More than a few Chief Information Security Officers (CISOs) must be nervous. In fact, the recent breaches may be forcing corporations that do not have a CISO to rethink that strategy. Often the CISO position is folded in with, or serves under, the Chief Information Officer (CIO) or even, if the CIO reports to the Chief Financial Officer (CFO), as is the case in some organizations, sits two layers under the seat of power. So, the person charged with security risk management may not have the authority to get things done.

With the recent spate of high profile data breaches, translating the message up the chain or even the perception that the CISO’s job is not important enough to be a direct report may not cut it anymore. Shareholders and customers want answers.

Consumers also are flocking to convenient online sites, where they have few other choices than to use a credit or debit card.

Data breaches, whether prolonged or short lived, especially those that compromise customer information, are black eyes that eventually will force consumers to keep their credit and debit cards at home. Having the man or woman in charge of mitigating IT risk fairly far down the food chain doesn’t look good, no matter whose ear he or she may have.

In my earlier post, “Security is Not the Point,” I explained why to most people security is an annoying layer of cost and inconvenience. I said that no one wants security, they want the benefits of security. But if security is not the point, what is?

The last time you had to do some tedious paperwork, you were no doubt muttering under your breath that you’d rather be doing the actual project and not filling out forms and writing a report. We are all like that. Documenting tasks and processes is not fun.

Compliance is like that, too. It is considered the necessary evil, the tedious paperwork required by “the powers-that-be” to meet some basic level of due care. Compliance requirements define the “minimums” for demonstrating that the business is being run responsibly.

My previous post briefly described what makes up a user’s Facebook data; this post will try to shed light on who owns and regulates that data.

I am probably not going out on a limb here to say that the majority of Facebook’s registered users have not read the privacy statement. I was like the majority of users myself, in that I did not fully read Facebook’s privacy statement upon signing up for the service. Facebook created a social media network online, and there were few requirements previously defined for this type of business in America or the world. A lack of rules, combined with users constantly uploading more data, has allowed Facebook to maximize the use of your data and create a behemoth of a social media networking business.

Over time, Facebook has added features to allow users to self-regulate their data by limiting others (whether Facebook users or the general Internet public) from viewing certain data that one might want to share with only family or specific friends. This provided a user with a sense of ownership and privacy, as the creator of the data could block or restrict friends and search providers from viewing their data. Zuckerberg is even quoted by the WSJ as saying “The power here is that people have information they don’t want to share with everyone. If you give people very tight control over what information they are sharing or who they are sharing with they will actually share more. One example is that one third of our users share their cell phone number on the site”.

In addition to privacy controls, Facebook gave users more insight into their data through a feature that allowed a user to download ‘all’ their data through a button in the account settings. I placed ‘all’ in quotes because, while you could download your Facebook profile data, this did not include wall comments, links, information tagged by other Facebook users or any other data that you created during your Facebook experience. Combined, privacy controls and data export are the main forms of control that Facebook has given its users over profile, picture, note, link, tag and comment data since Facebook went live in 2004.

So now you might be thinking the problem is solved; restricting your privacy settings on the viewing of information and downloading ‘all’ your information fixes everything for you. Well, I wish that were the case with Facebook’s business operations. An open letter by 10 security professionals to the US Congress highlighted that things did not simply work this way with Facebook and third-party Facebook developers’ operations. Facebook has reserved the right to change its privacy statement at any time with no notice to the user, and Facebook has done this a few times, to an uproar from its user base. As Facebook has grown in popularity and company footprint, security professionals along with media outlets have started publishing security studies painting Facebook in a darker light.

As highlighted by the US Congress in December 2011, Facebook was not respecting users’ privacy when sharing information with advertisers or when automatically enabling contradictory privacy settings on new services for its users. Facebook settled with the US Congress on seven charges of deceiving users by telling them they could keep their data private. From my perspective it appears that Facebook is willing to contradict its users’ privacy to suit its best interest for shareholders and business revenue.

In another privacy mishap, Facebook was found by an Austrian student to be storing user details even after a user deactivates their account. This started an EU-versus-Facebook initiative over the Internet that put heat on Facebook to give more details on the length of time data was being retained for current and deactivated users. Holding on to user data is lucrative for Facebook, as this allows it to claim more users when selling to advertising subscribers as well as when promoting the total user base for private investors’ bottom lines.

So the next question one might ask is “who regulates my data held by social media companies?” Summed up quickly, today no one outside Facebook is regulating your data, and little insight is given to users on this process. The governments of the US, along with the European Union, are looking at means of regulating Facebook’s operations using things such as data privacy regulations and the US/EU Safe Harbor Act. With Facebook announcing its initial public offering of five billion USD, there are soon to be more regulations, at least financial ones, hitting Facebook in the future.

As an outcome of the December 2011 investigation by the United States Congress, Facebook has agreed to independent audits by third parties, presumably of its choosing. I have not been able to identify details regarding the subject of these audits or the ramifications of findings from an audit. Facebook has also updated its public statement and communication to developers and now states that deactivated users will have their accounts deleted after 30 days. I have yet to see a change in Facebook’s operations for respecting users’ privacy settings when it comes to third parties and other outside entities – in fairness, Facebook insists data is not directly shared for advertising, although some British folks may disagree with Facebook’s claims of advertising privacy.

From an information security perspective, my ‘free’ advice to businesses, developers and end users is: do not access or give more data than necessary for your user experience, as this only brings trouble in the long run. While I would like to give Facebook the benefit of the doubt in its operations, I personally only give data that I am comfortable sharing with the world, even when it is limited to friends. In global business, data privacy regulations vary significantly between countries; with regulations come requirements, and everyone knows that failing requirements results in fines, so businesses need to think about accessing only appropriate information and restricting access accordingly. For the end user, or Facebook’s product, remember that Facebook can change its privacy statement at its leisure, and Facebook is ultimately a business with stakeholders that are eager to see quarter-after-quarter growth.

I hope this post has been insightful to you; please check back soon for my future post on how your Facebook data is being used and the different entities that want to access your data.

A book I contributed to is available on Amazon. Warren Axelrod and Jennifer Bayuk edited this collection of essays on security and privacy.
I think it is a special, unique view of how physical and logical threats, plus dynamic business and compliance trends are changing how security needs to be done. My chapter was on security as it relates to the Transportation industry. I took a logical and physical view of the problem.

Here is a post written by an end user security professional who will be known here simply as Padded Arrow. I believe you will find his perspectives on IT, security, risk management, and technology to be enlightening. -sh

Mike Holmes is a Canadian building contractor whose popular TV show tag line is "Make it right". It is not just a catchy phrase but rather his way of working. If you have watched his shows, one of the underlying messages is “Building codes are MINIMUM guidelines.” Often, the right way to do the job is not in the same league as "code." Mike prefers to "Make it right" rather than "make it code."

What does this have to do with IT and security? Many regulatory requirements (SOX, GLBA, HIPAA, etc.) come from a need to "raise the bar" on the quality of IT construction, safety and security. Too often, IT projects are a knee-jerk reaction to the current challenges in the IT environment, both real and perceived (aka marketing hype). Sometimes, regulations (building codes) seem to have more influence over the direction of IT than the best course of action for the company does. At what point does a company decide to plan its IT strategy with the business and long-term survivability as a priority?

My team and I are spending more time talking to end user business managers about compliance lately. Here are some of the inquiries we've received.

1. The area of compliance is very complex. My organization is multinational and has several overseas locations – what is the best way to approach compliance from the corporate standpoint?

2. Massachusetts has just enacted a new data privacy law, 201 CMR 17.00 "Standards for the protection of personal information"; how does this law differ from others and what should organizations do to prepare for similar laws?

3. Is it true that payments that are legal in many countries are prohibited by the Foreign Corrupt Practices Act (FCPA)? a. How do organizations avoid issues with the FCPA? b. What are an organization’s core responsibilities under the FCPA?

4. How can organizations figure out what they should be doing in terms of preparing and executing electronic discovery?

5. What are the latest trends in domestic partner law and how will they impact employers?